Any results from my software-related tinkering sessions, I consider worth sharing with the world.

Monday, 14 May 2012

SSH unlock with a fully encrypted Ubuntu 12.04 server

When operating a server with full system encryption it is often undesirable to enter the passphrase on a local keyboard. However, setting up unlocking via SSH on Ubuntu 12.04 is quite a stony path, as there are several bugs that need to be worked around before it actually works. I have put together a complete guide on how to set it up. The tutorial is based on the setup created in the previous one.
So I assume your Ubuntu 12.04 server is installed on a fully encrypted partition that is managed with LVM. The unlocking of the root partition is done in the "initial ramdisk" that is stored on the unencrypted /boot partition. In order to enter this passphrase over SSH, you need to add an SSH server to your initial ramdisk. To keep the initial ramdisk small we use "dropbear", an SSH server implementation for embedded systems.

# apt-get install openssh-server dropbear

The dropbear system installation will automatically use the RSA and DSA host keys provided by OpenSSH.
It is also automatically integrated into the initial ramdisk. However, it generates a separate pair of host keys for the initial ramdisk, which can be undesirable because your SSH client will give you nasty "host identification changed" errors when you connect to the ramdisk system. So I decided to work around that by using the system key pair for the ramdisk as well (keep in mind that the ramdisk, and with it this private host key, lives on the unencrypted /boot partition):

# cp /etc/dropbear/dropbear_* /etc/initramfs-tools/etc/dropbear/

As the initial ramdisk will only contain a root user, the root user has to be activated and assigned a password.

# passwd root

Optional: If you want to authenticate using a public key, you need to make sure the ramdisk accepts it:
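As an added example (not part of the original post), the following helper installs your public key where, as far as I know, the dropbear initramfs hook of Ubuntu 12.04 looks for root's authorized keys, namely /etc/initramfs-tools/root/.ssh/authorized_keys; the function name and that path are my assumptions, and the ramdisk still has to be rebuilt afterwards with update-initramfs -u. It appends the key only once and keeps the strict permissions dropbear expects:

```shell
#!/bin/sh
# Added example, not from the original post: install an OpenSSH public key so that
# the dropbear instance inside the initial ramdisk accepts it for the root user.
# Assumption: Ubuntu 12.04's dropbear initramfs hook copies
# /etc/initramfs-tools/root/.ssh/authorized_keys into the ramdisk.

# add_initramfs_key PUBKEY_FILE [AUTHORIZED_KEYS]
# Appends the first line of PUBKEY_FILE once (idempotent), keeps the permissions
# dropbear insists on (700 for the directory, 600 for the file) and rejects
# anything that does not look like an RSA or DSA public key line, which are the
# key types the dropbear of that era understands.
add_initramfs_key() {
    pubkey_file="$1"
    auth_keys="${2:-/etc/initramfs-tools/root/.ssh/authorized_keys}"
    key=$(head -n 1 "$pubkey_file") || return 1
    case "$key" in
        ssh-rsa\ *|ssh-dss\ *) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 1 ;;
    esac
    ssh_dir=$(dirname "$auth_keys")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # -x: whole-line match, -F: fixed string, so an existing key is not added twice
    if ! grep -qxF "$key" "$auth_keys"; then
        echo "$key" >> "$auth_keys"
    fi
}

# Usage on the server (then run update-initramfs -u):
#   add_initramfs_key /home/admin/.ssh/id_rsa.pub
```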

After updating the initramfs you can reboot, and logging in via SSH should work.

# update-initramfs -u
# reboot

However, entering the passphrase for the encrypted volume will not work yet, because of a bug in plymouth that blocks the other ways of entering the passphrase. So another workaround is required.
Add another script "crypt_unlock" to /etc/initramfs-tools/hooks:
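The post's own crypt_unlock script is not reproduced in this copy, so what follows is an added example of my own, reconstructing the approach such a hook takes rather than the author's script: it installs a /bin/unlock helper into the ramdisk that re-runs the regular cryptroot boot script with a small plymouth shim first in PATH, so that cryptroot believes plymouth is not running and asks for the passphrase on the SSH session's terminal instead. The hook name, the /lib/unlock shim directory, the function install_unlock_helper and the motd text are my assumptions; the cryptroot path and the plymouth --ping probe are those of Ubuntu 12.04's initramfs-tools as I know them.

```shell
#!/bin/sh
# Added example, not the original post's script: an initramfs-tools hook that
# installs an "unlock" helper into the ramdisk. Assumptions: the local-top
# cryptroot script decides between plymouth and a plain console prompt by
# running "plymouth --ping", and the hook is run by update-initramfs with
# DESTDIR pointing at the ramdisk tree being assembled.
PREREQ="dropbear"

prereqs() { echo "$PREREQ"; }

case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

# install_unlock_helper DESTDIR
# Writes /bin/unlock and the plymouth shim into the ramdisk tree at DESTDIR.
install_unlock_helper() {
    dest="$1"
    mkdir -p "$dest/bin" "$dest/lib/unlock" "$dest/etc"

    # The helper the administrator runs inside the SSH session.
    cat > "$dest/bin/unlock" <<'EOF'
#!/bin/sh
# Run the normal cryptroot script, but with our plymouth shim first in PATH so it
# falls back to asking for the passphrase on this terminal.
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    # The volume is open now; the cryptroot instance still blocked at the local
    # console prompt is redundant, so stop it and let the boot continue.
    kill $(ps | grep cryptroot | grep -v grep | awk '{print $1}') 2>/dev/null
    exit 0
fi
exit 1
EOF
    chmod 755 "$dest/bin/unlock"

    # Shim: answer "not running" to --ping, pass everything else to real plymouth.
    cat > "$dest/lib/unlock/plymouth" <<'EOF'
#!/bin/sh
[ "$1" = "--ping" ] && exit 1
exec /bin/plymouth "$@"
EOF
    chmod 755 "$dest/lib/unlock/plymouth"

    # Remind whoever logs in to the ramdisk what to do.
    echo 'To unlock the root partition, run "unlock"' >> "$dest/etc/motd"
}

# When invoked by update-initramfs, DESTDIR is set; do the installation then.
if [ -n "$DESTDIR" ] && [ -d "$DESTDIR" ]; then
    [ -r /usr/share/initramfs-tools/hook-functions ] && . /usr/share/initramfs-tools/hook-functions
    install_unlock_helper "$DESTDIR"
fi
```

Make the hook executable before running update-initramfs -u, otherwise initramfs-tools silently skips it. The SSH session stays open after a successful unlock; simply exit it and wait for the fully booted system to come up.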

Now when you boot into your initial ramdisk you can connect to your server via SSH and unlock the encrypted volume by typing

# unlock
Unlocking the disk /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (sda2_crypt)
Enter passphrase:
Reading all physical volumes. This may take a while...
Found volume group "mydisk" using metadata type lvm2
2 logical volume(s) in volume group "mydisk" now active
cryptsetup: sda2_crypt set up successfully
#

Congratulations! You should now be able to unlock your encrypted server without a local keyboard present.